There are five tasks in this assignment, each focusing on a different aspect of security. Each task requires a report of approximately 1000 words together with accompanying materials. I am expected to complete the tasks and demonstrate that I have acquired the following knowledge and skills:

Understanding of common security issues and their corresponding solutions.

Understanding of security assurance processes and the benefits of security testing, with awareness of state-of-the-art tools and techniques for the purpose.

Understanding of encryption technologies, and of the protective, detective and corrective security controls in the main operating systems.

Knowledge of various security standards.

Task-01

Introduction

This task is a scenario-based calculation of Total Cost of Ownership (TCO) and Annualized Loss Expectancy (ALE). The scenario is given below:

The Company has 8 web servers, costing $15,000 each, and two database servers, costing $25,000 each. These servers have a lifespan of five years. The annual support contracts on these are $1500 and $2500 respectively. The company employs two web administrators and an infrastructure administrator at $40,000 per annum each. Their annual turnover is $46m. It is estimated that it costs them 0.2% of the TCO for their system in each breach due to reconfiguration, lost work and delayed development. This is in addition to any lost earnings due to the website being offline.

In this scenario I complete the following activities:

Calculate the TCO for the current system.

Calculate the ALE for this system.

Estimate the annual saving if the company employed a part-time security administrator for 2 days per week to prevent such breaches.

The total cost of ownership (TCO) is calculated below.

Total cost of ownership (TCO)

TCO is a financial estimate that helps buyers and managers determine the direct and indirect costs of a system or product over its life. It is a concept from management accounting; in full cost accounting and ecological economics it is extended to include social costs. A TCO analysis covers the total cost of acquisition plus the operating costs, and the same approach is applied by credit markets and financing agencies. Here the TCO is taken over the five-year lifespan of the servers, which is the horizon the scenario gives.

Hardware cost

Web servers = 8 × $15,000 = $120,000

Database servers = 2 × $25,000 = $50,000

Hardware cost = $120,000 + $50,000 = $170,000 (a one-off purchase over the five-year lifespan)

Annual support cost

Web servers = 8 × $1,500 = $12,000

Database servers = 2 × $2,500 = $5,000

Annual support cost = $12,000 + $5,000 = $17,000

So for 5 years = $17,000 × 5 = $85,000

Employee cost

Employee cost = 3 × $40,000 = $120,000 per year

So 5 years cost = $120,000 × 5 = $600,000

TCO = $170,000 + $85,000 + $600,000 = $855,000 over five years (about $171,000 per year)

The ALE for this system is calculated below.

The annualized loss expectancy (ALE) is the single loss expectancy (SLE), the cost of one incident, multiplied by the annualized rate of occurrence (ARO), the expected number of incidents per year: ALE = SLE × ARO. The scenario does not state how often the site is breached or how long it is offline, so the calculation below assumes 10 hours of downtime per year and 3 breaches per year; both figures are assumptions and should be replaced with the company's incident history where it exists.

ALE

Annual turnover = $46,000,000

Income per hour = $46,000,000 / 8,760 hours ≈ $5,251 (rounded to $5,250 below; this assumes turnover accrues evenly around the clock)

Lost earnings while offline = $5,250 × 10 hours = $52,500

Cost of each breach (reconfiguration, lost work and delayed development) = 0.2% of TCO = $855,000 × 0.002 = $1,710

For 3 breaches = $1,710 × 3 = $5,130

ALE = $52,500 + $5,130 = $57,630

Note that almost all of the expected loss is lost sales during downtime, so the ALE is far more sensitive to the assumed hours offline than to the breach count.

The annual saving is calculated below.

Salary for 1 year = $40,000

Daily salary (over 365 days) = $40,000 / 365 ≈ $109.50

Weeks per year = 52

Working days at 2 days per week = 52 × 2 = 104 days

Part-time salary = 104 × $109.50 = $11,388

(Dividing by 365 calendar days understates the daily rate; pro-rating over a five-day working week, 2/5 of $40,000, gives $16,000 per year, which is the figure a finance department would expect.)

Annual saving = expected loss avoided − cost of the control = $57,630 − $11,388 = $46,242, assuming the part-time security administrator prevents all of the breaches. If they prevent only part of the expected loss the saving falls accordingly; the post pays for itself if it prevents about 20% of the ALE ($11,388 / $57,630). Compared with a full-time administrator at $40,000, the part-time post also costs $28,612 less.
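The calculations above as a small Python model (an added example, not part of the original report). The scenario figures are taken from the task text; the 10 hours of downtime a year and three breaches a year are the assumptions made in the ALE calculation, and the 365-day divisor reproduces the daily rate used there. The functions take these as parameters so the effect of changing them can be checked.

```python
"""TCO / ALE / saving model for the Task 1 scenario (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerClass:
    count: int
    unit_cost: float        # purchase price per server
    annual_support: float   # support contract per server per year


@dataclass(frozen=True)
class Scenario:
    servers: Tuple[ServerClass, ...]
    staff: int                   # administrators on the payroll
    salary: float                # per administrator per year
    lifespan_years: int          # hardware lifespan, the TCO horizon
    annual_turnover: float
    breach_cost_fraction: float  # share of TCO lost per breach (0.2% -> 0.002)


# Figures from the assignment scenario.
SCENARIO = Scenario(
    servers=(ServerClass(8, 15_000, 1_500), ServerClass(2, 25_000, 2_500)),
    staff=3, salary=40_000, lifespan_years=5,
    annual_turnover=46_000_000, breach_cost_fraction=0.002,
)


def tco(s: Scenario) -> float:
    """Total cost of ownership over the lifespan: hardware + support + staff."""
    hardware = sum(c.count * c.unit_cost for c in s.servers)
    support = sum(c.count * c.annual_support for c in s.servers) * s.lifespan_years
    staff = s.staff * s.salary * s.lifespan_years
    return hardware + support + staff


def hourly_income(s: Scenario) -> float:
    """Turnover per hour, assuming it accrues evenly over 8,760 hours."""
    return s.annual_turnover / 8760


def ale(s: Scenario, breaches_per_year: int, downtime_hours_per_year: float,
        hourly_rate: Optional[float] = None) -> float:
    """ALE = lost earnings for the year's downtime + per-breach cost x ARO.

    Downtime is given per year (as in the report) rather than per breach, so
    the two terms are added separately instead of multiplying one SLE by ARO.
    hourly_rate lets the rounded $5,250 of the report be reproduced exactly.
    """
    rate = hourly_income(s) if hourly_rate is None else hourly_rate
    per_breach = tco(s) * s.breach_cost_fraction
    return rate * downtime_hours_per_year + per_breach * breaches_per_year


def part_time_cost(salary: float, days_per_week: int, divisor_days: int = 365) -> float:
    """Pro-rated cost of a part-time hire. 365 matches the report; 260 (a
    five-day working year) is the more defensible divisor and gives 2/5 of salary."""
    return salary / divisor_days * days_per_week * 52


def annual_saving(expected_loss: float, control_cost: float,
                  effectiveness: float = 1.0) -> float:
    """Loss avoided by the control minus its cost. effectiveness < 1 models a
    control that prevents only part of the expected loss."""
    return expected_loss * effectiveness - control_cost


def break_even_effectiveness(expected_loss: float, control_cost: float) -> float:
    """Fraction of the expected loss the control must prevent just to pay for itself."""
    return control_cost / expected_loss


if __name__ == "__main__":
    total = tco(SCENARIO)
    loss = ale(SCENARIO, breaches_per_year=3, downtime_hours_per_year=10)
    cost = part_time_cost(SCENARIO.salary, days_per_week=2)
    print(f"TCO over {SCENARIO.lifespan_years} years: ${total:,.0f}")
    print(f"ALE: ${loss:,.0f}; part-time administrator: ${cost:,.0f}")
    print(f"Annual saving if all breaches are prevented: ${annual_saving(loss, cost):,.0f}")
    print(f"Break-even effectiveness: {break_even_effectiveness(loss, cost):.1%}")
```

Running it with the unrounded hourly rate gives an ALE a few dollars above $57,630; the break-even figure shows the administrator only has to stop about a fifth of the expected loss to justify the salary.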

Summary

In this task I worked through total cost of ownership, annualized loss expectancy and the saving from a security control, and how to apply these terms to a company. The TCO, ALE and saving for the scenario are calculated above.

Task-02

Introduction

In this task I suggest a network architecture for the company, providing a basic network diagram with an explanation and justification. I identify the major components required to deliver an online retailing website, including a database, a firewall and a web server.

The network diagram / Architecture

This is my network diagram.

Figure: The network diagram

In general, a network diagram depicts some kind of network, an interconnected group or system. The term covers several kinds of diagram:

Artificial neural network

Computer network diagram

Neural network diagram

A semantic network

The components of the network diagram

Computer

Computers are the basic components of the network diagram: they are the end systems the network exists to connect, and a computer network cannot be drawn without them.

Hub

In computer networking a hub is a small, inexpensive and simple device that joins several computers together. Most hubs support the Ethernet standard: an Ethernet cable is plugged into the hub and the other end of each cable is connected to a computer's network interface card using RJ-45 connectors. A hub repeats every frame it receives out of every other port, so any connected host can see all the traffic; for that reason hubs have been replaced by switches in almost all designs, including this one.

Switch

A network switch is a computer networking device that connects network segments. The term commonly refers to a multi-port network bridge that processes and forwards frames at the data link layer (layer 2) of the OSI model; switches that also route at the network layer (layer 3) are called multilayer switches.

Unmanaged switches: this type of switch has no configuration interface or options.

Managed switches: these switches can be configured, so the operation of the switch can be modified.

Smart switches: managed switches with a limited set of management features.

Enterprise managed switches: fully managed switches that include a command line interface, a web interface and an SNMP agent. Enterprise managed switches are often stackable.

The management features of a switch include:

Turning particular ports on or off

Setting duplex mode and link speed

Setting priority for ports

Spanning tree protocol and VLAN settings

IGMP snooping and 802.1X network access control

Figure: the picture of Switch

Modem

A modem is a device that converts signals: digital to analog for transmission, and analog back to digital at the receiving end, so that the original digital data can be reproduced. Modems can be used over any medium that carries analog signals, from driven diodes to radio.

Figure: the picture of Modem

Network Interface Card

The network interface card (NIC) is the device that establishes the network connection and provides the hardware interface between a computer and the network. It provides the interface to the medium and contains the Ethernet controller and the protocol control firmware needed to support the MAC data link protocol used by Ethernet.

Figure: for connection, Network Interface Card of a computer to an Ethernet Network.

Router

A router is a device that interconnects two or more computer networks. It determines whether the source and destination are on the same network and, if not, forwards the data packet from one network to the next. Its hardware and software are customised to the tasks of routing and forwarding.

Figure: the picture of router

Firewall

In the building trade a firewall is a physical barrier against fire and structural collapse; in a network it is the device that permits or denies traffic between network segments based on a set of rules. In this design the firewall separates the Internet from the web servers and the web servers from the database servers, so that only the web tier can reach the database and everything not explicitly allowed is denied.

Figure: the picture of firewall
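To make the segmentation concrete, here is a small first-match rule evaluator for the three-tier design (an added example, not part of the original report). The address ranges, the administrators' network and the database port (5432, PostgreSQL) are assumptions; the scenario does not say which database or addressing scheme the company uses. It also includes the check a reviewer would run against the rule set: nothing but the web tier may reach the database port.

```python
"""First-match firewall policy for a web tier / database tier design (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan: nothing in the scenario fixes these values.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("10.1.0.0/24")       # the 8 web servers
DB_TIER = ip_network("10.2.0.0/24")   # the 2 database servers
ADMIN = ip_network("10.3.0.0/24")     # administrators' workstations
DB_PORT = 5432                        # assumed PostgreSQL; the point holds for any engine


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    proto: str             # "tcp", "udp" or "any"
    action: str            # "allow" or "deny"
    comment: str


RULES: List[Rule] = [
    Rule(ANY, DMZ, 80, "tcp", "allow", "public HTTP to the web tier"),
    Rule(ANY, DMZ, 443, "tcp", "allow", "public HTTPS to the web tier"),
    Rule(DMZ, DB_TIER, DB_PORT, "tcp", "allow", "web tier to database only"),
    Rule(ADMIN, DMZ, 22, "tcp", "allow", "administration of web servers"),
    Rule(ADMIN, DB_TIER, 22, "tcp", "allow", "administration of database servers"),
    Rule(ANY, ANY, None, "any", "deny", "default deny"),
]


def evaluate(src: str, dst: str, dport: int, proto: str = "tcp",
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first rule matching the flow.

    The trailing default-deny rule means an unmatched flow is still denied;
    the final return is only a safety net if someone removes that rule.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and (r.dport is None or r.dport == dport)
                and r.proto in ("any", proto)):
            return r.action, r.comment
    return "deny", "implicit deny (no rule matched)"


def database_exposure(rules: List[Rule] = RULES) -> List[Rule]:
    """Allow rules that let any source other than the web tier reach the
    database port. An empty list is the expected result for this design."""
    return [r for r in rules
            if r.action == "allow" and r.dport == DB_PORT
            and r.dst.overlaps(DB_TIER) and r.src != DMZ]


if __name__ == "__main__":
    flows = [("203.0.113.7", "10.1.0.5", 443),       # customer browsing the shop
             ("203.0.113.7", "10.2.0.10", DB_PORT),  # customer poking the database
             ("10.1.0.5", "10.2.0.10", DB_PORT),     # web server querying the database
             ("10.1.0.5", "10.2.0.10", 22)]          # compromised web server trying SSH
    for f in flows:
        print(f, "->", evaluate(*f))
    print("database exposure:", database_exposure())
```

The last flow is the one that matters after a web server is compromised: the database port is reachable from the web tier because the application needs it, but SSH and everything else from that tier is dropped, so the attacker cannot move laterally with the web server's network position alone.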

Web server

A web server is a computer program that delivers web pages using the Hypertext Transfer Protocol over the World Wide Web. Features of a web server include:

Virtual hosting, serving many web sites from one IP address.

Server-side scripting to generate dynamic web pages while keeping the web server and web site implementations separate from each other.

Figure: the picture of world first web server.

Summary

In this task I completed the basic network diagram. First I drew the diagram and then I described each component. I found that it is straightforward to draw a network diagram, and I clarified my ideas by researching many websites. It will be very helpful in future work.

Task-03

Introduction

In this task I footprint an organisation with Nmap. I collect information such as open port numbers, DNS and hosting details and the server platform, and I present the scan output showing the company's open ports and platform.

First I selected the company whose information was to be collected: my online retail company is amazon.com, which I scanned with Nmap using the Zenmap front end (the Topology, Host Details and Host Viewer tabs in the screenshots are Zenmap's). A large public site of this kind typically answers from load balancers or edge nodes, so the scan shows which service ports are exposed to the Internet rather than the individual web and database servers behind them. The screenshots are given below:

Figure: the picture of ports/host of amazon.com

Here I see two open ports, 80 and 443. Both use the TCP protocol.

Figure: the details information of NMAP scans

Here I see the command, the Nmap version, verbosity level, debug level, general information and scan information.

Figure: the picture of Topology of amazon.com

Figure: the picture of Host details of amazon.com

Figure: the picture of domain name of amazon.com

Figure: the picture of http service

Here I see that port 80 is open on amazon.com and uses the TCP protocol.

Figure: the figure of https services

The HTTPS service is open on port 443 and uses the TCP protocol.

Figure: the picture of host viewer

Figure: the picture of report of scan
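Zenmap screenshots are hard to compare across scans; the same information can be pulled from Nmap's XML output (nmap -oX), which Zenmap also saves. The parser below is an added example, not part of the original report; the XML it parses is a constructed sample in the nmap -oX format with the same two open ports as the scan above, using a documentation address and hostname rather than the real results. It also flags services whose name was guessed from the port number table (method="table") rather than probed (method="probed"), a distinction the GUI does not make obvious but which matters when the scan is used to claim what "platform" a host runs.

```python
"""Parse Nmap XML output into a list of hosts and open ports (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format written by `nmap -sV -oX`. The address
# (RFC 5737 documentation range) and hostname are placeholders, not scan data.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml www.example.test" version="7.94" start="1700000000">
  <host starttime="1700000000" endtime="1700000042">
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="user"/></hostnames>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" tunnel="ssl" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <runstats><finished time="1700000042" elapsed="42.0"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


@dataclass
class Port:
    number: int
    protocol: str
    state: str
    service: str
    product: str
    probed: bool   # True if Nmap fingerprinted the service, False if guessed from the port table


@dataclass
class Host:
    address: str
    hostname: str
    ports: List[Port] = field(default_factory=list)

    def open_ports(self) -> List[Port]:
        return [p for p in self.ports if p.state == "open"]

    def unverified_services(self) -> List[Port]:
        """Open ports whose service name is only a table lookup, so the
        'platform' it suggests has not actually been confirmed."""
        return [p for p in self.open_ports() if not p.probed]


def parse_nmap_xml(text: str) -> List[Host]:
    root = ET.fromstring(text)
    hosts = []
    for h in root.findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        name = h.find("hostnames/hostname")
        host = Host(address=addr.get("addr") if addr is not None else "",
                    hostname=name.get("name") if name is not None else "")
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            host.ports.append(Port(
                number=int(p.get("portid")),
                protocol=p.get("protocol"),
                state=state.get("state") if state is not None else "unknown",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                probed=(svc is not None and svc.get("method") == "probed"),
            ))
        hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(f"{host.hostname} ({host.address})")
        for p in host.open_ports():
            tag = "" if p.probed else "  [service name guessed from port table]"
            print(f"  {p.number}/{p.protocol} {p.service} {p.product}{tag}")
```

Run against a real file, replace SAMPLE_XML with the contents of the -oX output. A port reported as "filtered" (as 22 is in the sample) means no response came back, usually because a firewall dropped the probe; it says nothing about whether the service exists.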

Summary

In this task I researched an online company's open ports, DNS, host details and protocols and discussed the results. This is very useful in practice for protecting company data, because the company can understand where its site is exposed.

Task-04

Introduction

In this task I outline a password policy, select which policies are relevant to this organisation and why, and give the standard security policy elements. The information was collected from various sites.

Create strong passwords to protect data

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to correctly guess it. The strength of a password is a function of length, complexity, and randomness.

However, other attacks on passwords can succeed without a brute search of every possible password. For instance, knowledge about a user may suggest possible passwords (such as pet names, children's names, etc). Hence estimates of password strength must also take into account resistance to other attacks as well.

Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving, side-channel attacks, and software vulnerabilities.

Determining password strength

There are two primary ways passwords are created, automatically (using randomizing equipment) or by a human. The strength of randomly chosen passwords against brute force attack can be calculated with precision. Strength against other kinds of attacks is less precisely estimated.

Commonly, passwords are generated by asking a human to choose a password, typically guided (or restricted) by a set of rules or suggestions; an example is at account creation time for computer systems. In this case, only estimates of strength are possible, since humans tend to follow patterns in such tasks, and those patterns may assist an attacker. In addition, lists of commonly chosen passwords are widely available for use by password guessing programs; in a strong sense, any of the numerous online dictionaries is such a list. All items in such lists are considered weak, as are passwords that are simple modifications of them. Either can be quickly tried. For some decades, investigations of passwords on multi-user computer systems have shown that 40% or more are readily guessed using only computer programs, and more can be found when information about a particular user is taken into account during the attack.

Automatic password generation, if properly done, can avoid as much as possible, any connection between a password and its user. For example, one's pet's name is quite unlikely to be generated by such a system. A randomly chosen password is maximally likely to take the most time to discover using a brute force search. For a password chosen from a sufficiently large 'password space,' brute force search time can be made so long as to be infeasible. There are two problems with truly random passwords: we don't know how to generate them (only ones we think for various reasons are random) and they tend to be very hard for real people to remember and so to use sensibly.

A password should combine letters, symbols and numbers: the greater the variety of characters, the better. I use at least 16 characters. Start with a sentence that is meaningful to you and derive the password from it. Long, complex passwords are the safest way to protect data; combining length, complexity and symbols gives something like "idkDOFjdk1645154_12" (note that this example contains only one special character, so it would not meet the two-special-character rule given below).

Protect your passwords from prying eyes. Here are some tips to help keep your passwords secret:

Never give out your password by email.

Do not type passwords on computers you do not control.

Do not reveal passwords to others.

Always protect any written-down passwords.

Use a different password for each web site.

Figure: the windows password policy

Creating strong passwords protects computer data from unauthorised people, and a password policy is needed to protect personal and company information. Without one, data is exposed to many kinds of threat, so a password policy must be defined and applied to the company's information.

Secure password guidelines

Keep passwords and PINs secret. Do not disclose them to co-workers or businesses (such as an Internet cafe operator), and do not be tricked into giving them away.

Passwords should contain at least 16 characters.

They must contain at least 10 uppercase or at least 6 lowercase letters.

They must contain at least 4 numerical characters.

They must contain at least 2 special characters.

Passwords should not be based on personal information.

Some mnemonic examples (these are eight characters long, so they illustrate the technique but fall short of the 16-character minimum above):

ANNIVE$0 - anniversary

UNBEND#9 - unbendable

@UNBEND1 - unbendable

UN#BEND1 - unbendable

To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within the organisation are strong, for example by checking them against lists of commonly used passwords, since anything on such a list is weak however many character classes it contains.

Character selection and length

For a password of a given length, the number of permitted symbols determines its maximum possible strength. For example, the printable characters in the ASCII character set (roughly those on a standard U.S. English keyboard) include 26 letters (in two case variants), 10 digits, and 33 non-alphanumeric symbols (punctuation, grouping, space, etc.), for a total of 95 symbols. Because national keyboard layouts vary, there are perhaps 88 printable characters that can be used nearly everywhere. If the allowed characters are only single-case alphabetic, an eight-character password has 26^8 possible values (about 2.1 × 10^11, or 38 bits). With 88 allowed characters, a password of the same length has 88^8 possible values (about 3.6 × 10^15, or 52 bits), a much larger number, requiring on average about 17,000 times more work for a successful brute force attack. A single-case randomly chosen alphabetic password of comparable strength would require 11 characters. These figures are upper bounds that hold only for randomly generated passwords; a human-chosen password drawn from a large alphabet can still be far weaker if it is a dictionary word with predictable substitutions.
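The strength arithmetic and the policy rules from this task, as an added Python example (not part of the original report). entropy_bits gives the strength of a randomly chosen password for a given alphabet and length, and check_policy applies the guidelines above (16 characters, 10 uppercase or 6 lowercase letters, 4 digits, 2 special characters) together with a blocklist check, since any password on a common-password list is weak regardless of its character mix. The blocklist is a constructed stand-in for a real list.

```python
"""Password strength arithmetic and a policy checker for the Task 4 guidelines (added example)."""
import math
import string
from typing import List

SINGLE_CASE = 26       # a-z only
PRINTABLE_US = 95      # printable ASCII on a US keyboard
PORTABLE = 88          # printable characters usable on nearly every keyboard


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def brute_force_ratio(large_alphabet: int, small_alphabet: int, length: int) -> float:
    """How many times more guesses the larger alphabet costs at the same length."""
    return (large_alphabet / small_alphabet) ** length


def equivalent_length(target_bits: float, alphabet_size: int) -> int:
    """Shortest length over alphabet_size that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


# Constructed stand-in for a real common-password list (real lists have millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def check_policy(password: str, common: set = COMMON_PASSWORDS) -> List[str]:
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    upper = sum(c in string.ascii_uppercase for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    digits = sum(c in string.digits for c in password)
    special = sum(c in string.punctuation for c in password)
    if len(password) < 16:
        failures.append("length")
    if not (upper >= 10 or lower >= 6):
        failures.append("letters")
    if digits < 4:
        failures.append("digits")
    if special < 2:
        failures.append("special")
    # Strip digits/punctuation so 'Password123!!' is still caught as 'password'.
    core = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in common or core in common:
        failures.append("common")
    return failures


if __name__ == "__main__":
    print(f"26^8: {entropy_bits(SINGLE_CASE, 8):.1f} bits; 88^8: {entropy_bits(PORTABLE, 8):.1f} bits")
    print(f"ratio: {brute_force_ratio(PORTABLE, SINGLE_CASE, 8):,.0f}x more work")
    print(f"single-case length for the same strength: {equivalent_length(entropy_bits(PORTABLE, 8), SINGLE_CASE)}")
    for pw in ("ANNIVE$0", "idkDOFjdk1645154_12", "Password12345678!!"):
        print(pw, "->", check_policy(pw) or "passes")
```

The third sample is the instructive one: it satisfies every composition rule and still fails, because once the digits and punctuation are stripped it is the word "password". That is why the blocklist check belongs in the policy alongside the character-class rules.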

Summary

In this task I learned the common guidelines for creating strong passwords, how to apply such a policy and how to generate such passwords. I now understand password policy and security, which is very effective knowledge for protecting a company's data.

Task-05

Introduction

Secure email is a very important part of any company, because a great deal of data is transferred through this medium. In this task I present how the company can send secure email to internal staff, customers and external businesses. I research a suitable solution and give it step by step.

Email

Electronic mail, commonly called email or e-mail, is a method of exchanging digital messages across the Internet or other computer networks. Email systems are based on a store-and-forward model in which email server computer systems accept, forward, deliver and store messages on behalf of users, who only need to connect to the email infrastructure, typically an e-mail server, with a network-enabled device for the duration of message submission or retrieval. Originally, email was transmitted directly from one user's device to another user's computer, which required both computers to be online at the same time.

An electronic mail message consists of two components, the message header, and the message body, which is the e-mail’s content. The message header contains control information, including, minimally, an originator's email address and one or more recipient addresses. Usually additional information is added, such as a subject header field.

Encryption

Data encryption has become a sad necessity for responsible data managers. However cryptography is jargon-heavy even by the discouraging standards of the IT world – symmetric and asymmetric cryptosystems, public versus private keys, digital signatures, hash algorithms, RSA, DES, Rijndael, PGP, MD5, SHA-1, https, secure sockets, Camellia, IDEA; what does it all mean? What are the differences? Relative advantages and disadvantages? Hopefully this article will clear some of the fog. Although we tend to use the words ‘code’ and ‘cipher’ interchangeably, technically they're two entirely different things. When you substitute each letter in a message for a different symbol that's a cipher. A code on the other hand means assigning a secret meaning to a word or phrase.

For example, if "The birds are flying south" means "Flee! The police are on to us!" that is a code. But the simple schoolboy "code", 1 = 'A', 2 = 'B' and so on, is a cipher, a substitution cipher in fact, as is the letter-shifting cipher attributed to Julius Caesar. By the same logic the ASCII "code" is actually a kind of cipher.

How to secure Email

Email messages are not protected as they move across the Internet. Messages can be misdelivered or intercepted and read by unauthorised or unintended individuals. Email can also be surreptitiously modified, even forged, creating the impression that a person made a statement that she did not. Ordinary Internet email simply does not provide techniques for assuring integrity, privacy or authorship.

Email can be protected by restricting its movement to trusted computers and secure communications links, but such controls are not possible in a large-scale environment with distributed management. As a result, the only way to protect Internet mail is through the use of cryptography. Yet even though cryptographic technology is now built into the email

When a mailbox is retrieved using the standard POP3 protocol, the username and password are sent in the clear over the Internet. This means that anyone able to "listen in" on the mail client's login session with the mail server can retrieve the username and password as well as read the email. Once they have the password they can read the email without the owner's knowledge or permission, or send spam from the account, possibly getting the owner into serious trouble since unsolicited bulk email is illegal in many jurisdictions.

The best way to ensure no one can capture the password (at least not without a great deal of trouble) is to retrieve email over an SSL/TLS connection: POP3S on port 995, or STARTTLS on the standard port where the server supports it. All data exchanged between the mail client and the server is then encrypted, and the server's certificate lets the client verify that it is talking to the real server rather than an attacker in the path. Note that the certificate does not itself encrypt the traffic; it authenticates the server, and the client must be configured to check it. SSL 2.0 and 3.0 are obsolete and should not be enabled; TLS 1.2 or later should be used.
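Mail retrieval as described above, as an added Python example (not part of the original report). It uses only the standard library: poplib.POP3_SSL with an ssl context that requires a valid certificate matching the server name and TLS 1.2 or later, which is what actually stops the credential interception described above; encryption with an unverified certificate would still let an attacker in the path present their own certificate and read the password. The host and account names are placeholders; the function that connects is shown for completeness, while the checks exercise only the configuration.

```python
"""POP3 over TLS with certificate verification (added example)."""
import poplib
import ssl
from typing import Tuple

# Implicit-TLS ports for the retrieval protocols; the plaintext ports are listed
# only so they can be refused.
SECURE_PORTS = {"pop3": 995, "imap": 993}
PLAINTEXT_PORTS = {110: "pop3", 143: "imap"}


def mail_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate against the system
    trust store, checks the hostname and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def plan_connection(protocol: str, port: int = None) -> Tuple[str, int]:
    """Return (protocol, port) for an implicit-TLS connection, refusing the
    plaintext ports so a misconfigured client cannot send credentials in clear."""
    proto = protocol.lower()
    if proto not in SECURE_PORTS:
        raise ValueError(f"unsupported protocol: {protocol}")
    if port is None:
        port = SECURE_PORTS[proto]
    if port in PLAINTEXT_PORTS:
        raise ValueError(f"port {port} is plaintext {PLAINTEXT_PORTS[port]}; use {SECURE_PORTS[proto]}")
    return proto, port


def pop3_message_count(host: str, user: str, password: str, port: int = None) -> int:
    """Log in over POP3S and return the number of waiting messages.
    This opens a real connection; the placeholder host below must be replaced."""
    _, port = plan_connection("pop3", port)
    conn = poplib.POP3_SSL(host, port, context=mail_tls_context(), timeout=15)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return count
    finally:
        conn.quit()


if __name__ == "__main__":
    import getpass
    # "mail.example.test" and the account are placeholders, not a real server.
    n = pop3_message_count("mail.example.test", "alice@example.test", getpass.getpass())
    print(f"{n} messages waiting")
```

If the server presents a self-signed or mismatched certificate, POP3_SSL raises ssl.SSLCertVerificationError before any credential is sent; resist the temptation to "fix" that by disabling verification, since that is exactly the condition an interceptor produces.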

In order to send mail that is digitally signed, the sender must first create a public/private key pair and obtain a certificate certifying that pair. In order to send mail that is encrypted, it is necessary to obtain the public key of one's intended recipient.

Thus, even when there are easy-to-use "encrypt" and "sign" buttons in a program's toolbar, there can still be significant barriers to using that functionality. This state of affairs seems odd to the initiated. After all, creating key pairs is trivial: finding hundred-digit prime numbers is a process that can be automated and run at the click of a button. The problem is what happens next: there is nothing to stop a user from placing any name that they wish on the public key after it is created. This creates the opportunity for deception and skulduggery. The S/MIME system addresses this potential for deceit by requiring users to obtain a certificate from a well-known and presumably reliable CA, assuring that the name on each certificate really belongs to the entity that controls the certificate's matching private key. This is a complex process that frequently involves payment. For example (these prices and offerings are historical):

VeriSign Inc., one of the best known CAs, sells a simple certificate called a "Class 1 Digital ID" for $14.95; these certificates expire one year after issuance.

Thawte Consulting Ltd., a VeriSign subsidiary, gives away free "personal email certificates" from its website, but requires that individuals provide a "national identification number" such as a passport number, driver's licence number or social security number, something that many users may not wish to do. Users must then click through more than 20 web pages (some with very difficult-to-find links) and answer complex questions such as "Charset Preference" which many users may not understand.

Email should also be backed up in case of any kind of damage; this is easy to do.

Summary

After completing this task I understand how to secure email. In this task I described some ways to secure email, which is very helpful for sending email within the company and to external parties.

Assignment Summary

The five tasks above cover the knowledge and skills required by the assignment. I have shown understanding of common security issues and their corresponding solutions, and the ability to analyse problems, identify security risks and evaluate alternative solutions. I have described various security standards, shown understanding of security assurance processes and the benefits of security testing with awareness of state-of-the-art tools and techniques, and shown understanding of encryption technologies and of the protective, detective and corrective security controls in the main operating systems.